[04:36] <yurtesen> How does one contact a MOTU who is willing to sponsor a security related debdiff? I have been trying now for over a week, and still feeling in the dark.
[04:43] <amurray> hey yurtesen - can you please subscribe ~ubuntu-security-sponsors to the relevant LP bug?
[04:44] <amurray> and out of interest - can you point me at the bug in question?
[04:44] <sbeattie> amurray: it's LP: #1915911 and sponsors is already subscribed
[04:44] <ubottu> Launchpad bug 1915911 in tomcat9 (Ubuntu) "Tomcat9 package is old version with many security issues" [Undecided, Confirmed] https://launchpad.net/bugs/1915911
[04:46] <amurray> ah cool - so pfsmorigo any chance you could take a peek at this as you are on community this week? otherwise maybe leosilva could take a look as he is on the community role next week so could get a head start on reviewing it to sponsor it
[05:12] <yurtesen> Hello, and thank you for checking this out. Can the person who is checking this out put a message in the bug report, if possible, with some time estimate? I am sorry, but I have been under some pressure. I keep hearing we should stop using Ubuntu because universe packages are not maintained at all and people were skeptical that Ubuntu would even allow outside help. I do not intend to
[05:12] <yurtesen> sound negative, it is what it is. I understand people are busy. But I would also like to make some other bugfixes (not security related) to the `tomcat` package on 20.04 and 21.10 and 22.04. To summarize, I need something, a pointer which shows progress and that all the time spent is not lost. (and this is not for me personally, it is because our company is using this package and they
[05:12] <yurtesen> can't let work hours go to waste if nothing is happening)
[13:07] <sdeziel> yurtesen: the debdiff looks good to me, thanks for working on it! That said, I'm not a security team member so I can only encourage you to keep doing :)
[14:26] <tomreyn> zlib-1.2.11 https://nvd.nist.gov/vuln/detail/CVE-2018-25032
[14:26] <ubottu> zlib 1.2.11 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032>
[15:13] <mdeslaur> tomreyn: yep, working on it
[15:13] <mdeslaur> tomreyn: thanks
[15:19] <tomreyn> i assumed it would go into the next round, just wanted to push it a little bit :)
[22:13] <JanC> how does a library like zlib still have bugs like that...
[22:24] <jjohansen1> you mean how does anything ever work ;)
[22:35] <sarnold> hah yeah :)
[22:42] <JanC> no, seriously, this sounds like a bug that could be found with a formal analysis
[22:44] <JanC> I understand you can't do that on everything, but this is probably the most-used library in IT history
[22:45] <sarnold> I only vaguely skimmed it, but I think it was stuffed behind a rarely-used #ifdef or similar
[22:48] <JanC> if it's rarely used, then how is it a problem?  :)
[22:49] <sarnold> that's why I only vaguely skimmed it :)
[22:52] <mdeslaur> yeah, it's pretty incredible
[22:53] <mdeslaur> I particularly like the "It has lain in wait 13 years before being found!" comment in the commit, and now we're three years later without a new release that includes it
[22:54] <mdeslaur> I guess they're waiting another 10 years so they can add the matching "13 years before being released!" comment
[22:55] <mdeslaur> (then we can go to "13 years before mitre updated the CVE!")
[23:01] <sarnold> I can't remember now if it was zlib or gzip, but I remember tripping over a fuzzer bug when doing a security update half a dozen years ago
[23:02] <sarnold> it was one of those packages where finding a flaw seems *so* unusual and unlikely that you suspect the build environment first
[23:05] <tomreyn> Apr 20, 2018 to Mar 26, 2022 is more like 4 years, if this matters.
[23:06] <tomreyn> * Mar 23, 2022